/*
 * Copyright (C) 2021 Bosch.IO GmbH
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * License-Filename: LICENSE
 */

package org.ossreviewtoolkit.model

import java.net.URI

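/**
 * A data class representing detailed information about a vulnerability obtained from a specific source.
 *
 * A single vulnerability can be listed by multiple sources using different scoring systems to denote its severity.
 * So when ORT queries different providers for vulnerability information it may well find multiple records for a single
 * vulnerability, which could even contain contradicting information. To model this, a [Vulnerability] is associated
 * with a list of references; each reference points to the source of the information and has some detailed information
 * provided by this source.
 *
 * All properties hold data as reported by the external source. This class does not validate or normalize them, so
 * consumers that render or evaluate these values should treat them as untrusted input.
 */
data class VulnerabilityReference(
    /**
     * The URI pointing to details of this vulnerability. This can also be used to derive the source of this
     * information.
     */
    val url: URI,

    /**
     * The name of the scoring system to express the severity of this vulnerability if available.
     */
    val scoringSystem: String?,

    /**
     * The severity assigned to the vulnerability by this reference. Note that this is a plain string, whose meaning
     * depends on the concrete scoring system. It could be a number, but also a constant like _LOW_ or _HIGH_. A
     * *null* value is possible as well, meaning that this reference does not contain any information about the
     * severity.
     */
    val severity: String?
) {
    companion object {
        /**
         * Return a human-readable string that is determined based on the given [scoringSystem] and [severity].
         *
         * The [scoringSystem] is matched case-insensitively against the known CVSS version 2 and version 3
         * identifiers. The CVSS 3.1 vector prefix is accepted as well, because CVSS 3.1 uses the same qualitative
         * severity rating scale as CVSS 3.0. The [severity] has to be a numeric score within the range of the
         * respective scoring system.
         *
         * The result is the name of the matching [Cvss2Rating] or [Cvss3Rating], or "UNKNOWN" if the scoring system
         * is not recognized or the severity is missing, not numeric, or out of range. Note that "UNKNOWN" only means
         * that no rating could be derived; it must not be interpreted as a low severity.
         */
        @Suppress("UNUSED") // This function is used in the templates.
        fun getSeverityString(scoringSystem: String?, severity: String?): String =
            when (scoringSystem?.uppercase()) {
                "CVSS2", "CVSSV2", "CVSS:2.0" -> severity?.toFloatOrNull()?.let { Cvss2Rating.fromScore(it) }
                "CVSS3", "CVSSV3", "CVSS:3.0", "CVSS:3.1" ->
                    severity?.toFloatOrNull()?.let { Cvss3Rating.fromScore(it) }
                else -> null
            }?.toString() ?: "UNKNOWN"
    }

    /**
     * The rating attaches human-readable semantics to the score number according to CVSS version 2, see
     * https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/#CVSSv3-Scoring-Scale-vs-CVSSv2-6.
     *
     * The [upperBound] of a rating is exclusive, except for [HIGH], whose upper bound is the maximum score.
     */
    enum class Cvss2Rating(private val upperBound: Float) {
        LOW(4.0f),
        MEDIUM(7.0f),
        HIGH(10.0f);

        companion object {
            /**
             * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating]. This is
             * the case for negative scores, scores above the upper bound of [HIGH], and NaN.
             */
            fun fromScore(score: Float): Cvss2Rating? =
                when {
                    score < 0.0f || score > HIGH.upperBound -> null
                    score < LOW.upperBound -> LOW
                    score < MEDIUM.upperBound -> MEDIUM
                    score <= HIGH.upperBound -> HIGH
                    // Only reached for NaN, for which all of the comparisons above are false.
                    else -> null
                }
        }
    }

    /**
     * The rating attaches human-readable semantics to the score number according to CVSS version 3, see
     * https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale.
     *
     * The [upperBound] of a rating is exclusive, except for [NONE], which only matches a score of exactly 0.0, and
     * [CRITICAL], whose upper bound is the maximum score.
     */
    enum class Cvss3Rating(private val upperBound: Float) {
        NONE(0.0f),
        LOW(4.0f),
        MEDIUM(7.0f),
        HIGH(9.0f),
        CRITICAL(10.0f);

        companion object {
            /**
             * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating]. This is
             * the case for negative scores, scores above the upper bound of [CRITICAL], and NaN.
             */
            fun fromScore(score: Float): Cvss3Rating? =
                when {
                    score < 0.0f || score > CRITICAL.upperBound -> null
                    score == NONE.upperBound -> NONE
                    score < LOW.upperBound -> LOW
                    score < MEDIUM.upperBound -> MEDIUM
                    score < HIGH.upperBound -> HIGH
                    score <= CRITICAL.upperBound -> CRITICAL
                    // Only reached for NaN, for which all of the comparisons above are false.
                    else -> null
                }
        }
    }
}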
